Sunday, November 2, 2014

Beginning Risk Assessment

Recently, I had the opportunity to conduct a formal risk assessment for Fictional Inc. This was my first opportunity at a formal risk assessment and I must say it was quite an interesting activity. It allowed me to see things from a perspective which, while I may have thought about it and have done it, I never had to document formally. The documentation aspect is the most important part. So without further ado, let's get cracking.

Fictional Inc.
Information Technology Risk Assessment

Prepared for: Fictional Inc.
Prepared by: Nik Alleyne
Date: 2014-09-02

EXECUTIVE SUMMARY

Fictional Inc. requested that Nik Alleyne perform a formal Risk Analysis to identify the threats posed to the company. This Risk Analysis also aims to identify technical vulnerabilities within Fictional Inc.'s infrastructure while identifying and/or proposing possible countermeasures.

Fictional Inc. is a small grocery retailer and currently does not have an IT staff. Its IT support issues are contracted out to a third party.

This assessment identified 2 critical vulnerabilities (the use of magnetic stripe card readers and the use of unsupported operating systems) which should be immediately addressed by Fictional Inc.'s management.

DETAILED ASSESSMENT

1. Introduction

1.1 Purpose

The purpose of this Risk Assessment is to identify the threats and vulnerabilities related to the operation of Fictional Inc. Through the identification of these threats and vulnerabilities, the relevant countermeasures will be recommended.

1.2 Scope of this Risk Assessment

Fictional Inc.'s systems comprise a pfSense-based firewall and a Wireless Access Point which also performs switching functionality. In addition, the infrastructure contains a Windows Server 2003 system and Windows 8.1 and Windows XP desktops. Mobile platforms such as Android 4.0 and BlackBerry 10.2 are also in use.

All of the systems mentioned above are within scope of this formal Risk Assessment.

The Nessus Vulnerability Scanner was used for identifying technical vulnerabilities.

Vulnerability Sources

Vulnerabilities were primarily determined based on results received from the Nessus Vulnerability Scanner. Additional sources consulted:

US-CERT
Cisco Systems

Countermeasure Sources

SANS Critical Security Controls for Effective Cyber Defense.

2.3 Identifying Threats

Credible threats:

Malicious Use
Compromise of user accounts
Power Loss
System Failure
System Compromise
Unauthorized Access

2.4 Risk Model Approach

The Risk Model used to conduct Fictional Inc.'s Risk Assessment is based on the Risk Assessment methodology used by OWASP.

Risk = Likelihood * Impact

Threat Likelihood (weight) and description:

High (1.0): The probability that a threat can exploit an identified vulnerability is very high, as the source may have the means, motive and opportunity to exploit the vulnerability. In addition, the current controls to mitigate this threat are ineffective.

Medium (0.5): The probability that this threat will occur is medium. Current controls may be effective in mitigating this threat.

Low (0.1): The probability that this threat will exploit the vulnerability is very low. In addition, the controls in place are effective in mitigating the threat.

Impact Rating and description:

High (100): Occurrence of this risk may result in:
i. Financial loss to the business
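As an added example (not part of the original report), the script below applies the Risk = Likelihood * Impact model in code so that a register with many findings can be rated, prioritised and checked for consistency in one pass. The likelihood weights (High 1.0, Medium 0.5, Low 0.1) and the High impact value (100) are the report's; the Medium (50) and Low (10) impact values and the banding of the product (above 50 is High, above 10 is Medium, otherwise Low) are assumptions, chosen because they are the NIST SP 800-30 convention that uses the same numbers and they reproduce every overall rating given in section 5.

```python
"""Risk = Likelihood * Impact scoring for a risk register.

Added example; not part of the original assessment. Likelihood weights
(High 1.0, Medium 0.5, Low 0.1) and the High impact value (100) come from
the report. ASSUMED: Medium impact = 50, Low impact = 10, and bands of
>50 High, >10 Medium, otherwise Low (the NIST SP 800-30 convention).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # from the report
IMPACT = {"High": 100, "Medium": 50, "Low": 10}          # Medium/Low assumed


def score(likelihood: str, impact: str) -> float:
    """Numeric risk: likelihood weight times impact value."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def band(value: float) -> str:
    """Map a numeric score back to High/Medium/Low (assumed thresholds)."""
    if value > 50:
        return "High"
    if value > 10:
        return "Medium"
    return "Low"


def overall(likelihood: str, impact: str) -> str:
    """Overall risk rating for one (likelihood, impact) pair."""
    return band(score(likelihood, impact))


def risk_matrix() -> Dict[Tuple[str, str], str]:
    """All nine (likelihood, impact) combinations and their overall rating."""
    return {(l, i): overall(l, i) for l in LIKELIHOOD for i in IMPACT}


@dataclass
class Finding:
    no: int
    vulnerability: str
    likelihood: str
    impact: str
    stated_overall: str   # rating written in the report, to be verified


# The six findings from section 5 of the report, with the ratings it states.
REGISTER: List[Finding] = [
    Finding(1, "Use of magnetic stripe card reader", "High", "High", "High"),
    Finding(2, "Unsupported Operating System", "High", "Medium", "Medium"),
    Finding(3, "SSL Certificate Cannot Be Trusted", "Medium", "High", "Medium"),
    Finding(4, "DNS Server Cache Snooping Remote Information Disclosure", "Low", "High", "Low"),
    Finding(5, "Web Server Generic XSS", "Medium", "Medium", "Medium"),
    Finding(6, "Lack of Centralized Authentication", "Medium", "Medium", "Medium"),
]


def inconsistent(register: List[Finding]) -> List[Finding]:
    """Findings whose stated overall rating does not follow from the model."""
    return [f for f in register if overall(f.likelihood, f.impact) != f.stated_overall]


def prioritised(register: List[Finding]) -> List[Finding]:
    """Highest numeric risk first; ties keep the report's order."""
    return sorted(register, key=lambda f: -score(f.likelihood, f.impact))


if __name__ == "__main__":
    for f in prioritised(REGISTER):
        print(f"{f.no}. {f.vulnerability:<60} {score(f.likelihood, f.impact):>6} "
              f"{overall(f.likelihood, f.impact)}")
    print("inconsistent ratings:", [f.no for f in inconsistent(REGISTER)] or "none")
```

Because the bands are applied to the product rather than read from a hand-filled table, adding a seventh finding or changing a weight re-rates the whole register the same way every time; `inconsistent()` is the check that a rating typed into the report was not changed by hand without the underlying likelihood or impact changing.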

The diagram below identifies all the devices within scope of this Risk Assessment.

4. Vulnerability Statement

4.1 The following vulnerabilities were identified (number, vulnerability, description).

1. Use of magnetic stripe card reader
The use of magnetic stripe card readers is a critical vulnerability at this time. This vector is constantly being exploited to gain access to credit card track data, which a magnetic stripe reader passes on in the clear unless the reader itself encrypts it.

2. Unsupported Operating System
The use of unsupported operating systems is a critical vulnerability since vendor-issued patches and updates will no longer be available. Of the in-scope systems, the Windows XP desktops have been out of vendor support since 8 April 2014.

3. SSL Certificate Cannot Be Trusted
Users would be unable to verify the authenticity and identity of the systems. This could make it easier to carry out man-in-the-middle attacks.

4. DNS Server Cache Snooping Remote Information Disclosure
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.

5. Web Server Generic XSS
The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

6. Lack of Centralized Authentication
This makes it difficult to disable an account if it is compromised. In addition, it means that passwords and other user and computer controls cannot be managed centrally.
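The cache snooping finding (vulnerability 4) comes down to one check, shown below as an added example that is not part of the report and is not the Nessus plugin: send the name server a query with the RD (recursion desired) bit clear. A server that is asked not to recurse can only answer from what it already holds, so a non-empty answer section for a name the server is not authoritative for means that name was resolved recently; an empty answer means it was not cached, and REFUSED means the server will not serve its cache to this client, which is the posture to aim for from untrusted networks. Only the Python standard library is used; the `sample_reply()` messages are constructed inline for offline use and are not captured traffic, and the server address and names in the usage line are placeholders.

```python
"""Non-recursive DNS probe: the check behind the cache snooping finding.

Added example, not part of the original report or of Nessus. Builds a raw
DNS query with RD clear, sends it over UDP/53 and classifies the reply from
its header. Sample replies are CONSTRUCTED here for offline testing.
"""
import random
import socket
import struct
from typing import Dict, Optional


def _encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None,
                recursion_desired: bool = False) -> bytes:
    """Build a DNS query; by default RD is clear (the snooping probe)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT = 1
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the 12-byte header fields the classification needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "aa": (flags >> 10) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "ancount": an, "nscount": ns}


def classify(reply: bytes) -> str:
    """Classify a reply to a non-recursive query.

    cached        - answer present, server not authoritative: name was in the cache
    authoritative - answer present with AA set: says nothing about the cache
    not-cached    - NOERROR/NXDOMAIN with no answer records (an NXDOMAIN here may
                    itself be a cached negative answer; treated as not-cached)
    refused       - any other rcode, e.g. 5 REFUSED: cache not served to this client
    """
    h = parse_header(reply)
    if h["rcode"] not in (0, 3):
        return "refused"
    if h["ancount"] == 0:
        return "not-cached"
    return "authoritative" if h["aa"] else "cached"


def snoop(server: str, name: str, timeout: float = 2.0) -> str:
    """Send the probe over UDP/53 and classify the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if parse_header(reply)["id"] != parse_header(query)["id"]:
        raise ValueError("reply transaction id does not match the query")
    return classify(reply)


def sample_reply(txid: int, rcode: int, ancount: int, aa: bool = False) -> bytes:
    """CONSTRUCTED reply for offline testing (not captured traffic).

    QR and RA set, one question for www.example.com, then `ancount` A records
    whose owner name is a compression pointer (0xC00C) to the question name.
    """
    flags = 0x8000 | 0x0080 | (0x0400 if aa else 0) | (rcode & 0xF)
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += _encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    for i in range(ancount):
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, i + 1])
    return msg


if __name__ == "__main__":
    import sys
    # usage: python dns_snoop.py <resolver-ip> <name> [name ...]   (placeholders)
    for target in sys.argv[2:]:
        print(target, snoop(sys.argv[1], target))
```

Run it from outside Fictional Inc.'s network against the name server with names the server is not authoritative for (well-known public domains work); `cached` results reproduce the finding, and after the countermeasure is applied the same probe should return `refused` for external clients while internal clients still resolve normally.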

5. Risk Assessment Results

Each risk below lists the vulnerability, the threats that could exploit it, what is put at risk, a risk summary, the likelihood, impact and overall ratings from the model in section 2.4, the controls currently in place, and the recommended countermeasures.

Risk 1: Use of magnetic stripe card reader
Threat: Unauthorized Access, Unauthorized Use, Malicious Use, System Compromise
Risk of Compromise: Confidentiality and Integrity of Fictional Inc. data may be lost
Risk Summary: The use of magnetic stripe card readers is a critical vulnerability at this time. This vector is constantly being exploited to gain access to credit card track data.
Risk Likelihood Rating: High
Risk Impact Rating: High
Overall Risk Rating: High
Analysis of Relevant Controls: None
Recommendations: Fictional Inc. should consider working with a vendor who provides POS terminals that use hardware-based encryption, since Fictional Inc. does not control the production or distribution of credit cards. Consider implementing firewall rules which restrict access to the POS systems.

Risk 2: Unsupported Operating System
Threat: Unauthorized Access, System Compromise, Malicious Use
Risk of Compromise: Confidentiality, Integrity and Availability of data and systems
Risk Summary: The use of unsupported operating systems is a critical vulnerability since vendor-issued patches and updates will no longer be available.
Risk Likelihood Rating: High
Risk Impact Rating: Medium
Overall Risk Rating: Medium
Analysis of Relevant Controls: Currently no controls are in place for mitigating this risk.
Recommendations: Fictional Inc. should consider implementing a software inventory and/or patch management system which allows it to track its currently installed software versions. Because no patches will be issued for an unsupported operating system, such a system can only track the exposure; the unsupported systems themselves (the Windows XP desktops, out of vendor support since 8 April 2014) should be upgraded or replaced.

Risk 3: SSL Certificate Cannot Be Trusted
Threat: Unauthorized Access, System Compromise
Risk of Compromise: Integrity of Fictional Inc. data can be compromised
Risk Summary: Users would be unable to verify the authenticity and identity of the systems. This could make it easier to carry out man-in-the-middle attacks.
Risk Likelihood Rating: Medium
Risk Impact Rating: High
Overall Risk Rating: Medium
Analysis of Relevant Controls: None
Recommendations: Ensure all new services requiring certificates use a certificate signed by a trusted third party (or by an internal CA whose root certificate is installed on every Fictional Inc. client), and replace the untrusted certificate on the affected service.

Risk 4: DNS Server Cache Snooping Remote Information Disclosure
Threat: Malicious Use, Unauthorized Access
Risk of Compromise: Confidentiality of Fictional Inc. data (which hosts its users have recently visited) can be compromised
Risk Summary: This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
Risk Likelihood Rating: Low
Risk Impact Rating: High
Overall Risk Rating: Low
Analysis of Relevant Controls: Currently none exist. However, a plan is in place for obtaining a software patch from the DNS software vendor.
Recommendations: Fictional Inc. should consider implementing a software inventory and/or patch management system which allows it to track its currently installed software versions. In addition, the name server should be configured to refuse cache-only (non-recursive) queries, and recursion in general, from any network other than Fictional Inc.'s internal clients, since a patch alone does not stop a resolver that is reachable from untrusted networks from answering such queries.

Risk 5: Web Server Generic XSS
Threat: Unauthorized Use, Unauthorized Access, System Compromise
Risk of Compromise: Confidentiality and Integrity of Fictional Inc. data
Risk Summary: The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.
Risk Likelihood Rating: Medium
Risk Impact Rating: Medium
Overall Risk Rating: Medium
Analysis of Relevant Controls: The control in place for this vulnerability is the firewall. Access to this device is only granted to specific systems.
Recommendations: Conduct quarterly vulnerability scans so that these types of vulnerability can be detected. Conduct quarterly reviews of the firewall rules. The firewall only limits who can reach the web server; the vulnerability itself should be fixed in the web application by encoding untrusted input before it is reflected in a response.

Risk 6: Lack of Centralized Authentication
Threat: Unauthorized Use, Unauthorized Access, System Compromise
Risk of Compromise: Confidentiality
Risk Summary: This makes it difficult to disable an account if it is compromised. In addition, it means that passwords and other user and computer controls cannot be managed centrally.
Risk Likelihood Rating: Medium
Risk Impact Rating: Medium
Overall Risk Rating: Medium
Analysis of Relevant Controls: No control is currently in place to address user authentication.
Recommendations: Fictional Inc. should implement a centralized directory server, which allows both users and their computers to be controlled centrally.

2 comments:

Just saw this today, it's amazing. Liked your detailed approach. Thinking, if we have to perform many RAs with different contexts at once, how can we do it quickly, like with some Excel-based approach?

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis